FortiGate
ayluht
Staff
Article Id 336381
Description: This article describes why SSH public-key authentication does not work with a proxy-based policy that uses SSH deep inspection.
Scope: FortiGate.
Solution

When a proxy-based policy with SSH deep inspection is applied, the user will not be able to log in to the SSH server with an SSH public key: key-based authentication fails.

In the WAD debug output, the following error will be seen:


[V]2024-08-02 15:19:14.401020 [p:382][s:1692184241] wad_ssh_userauth_fail_msg_proc :1465 ssh p2s userauth fail: accept_methods 'publickey,gssapi-keyex,gssapi-with-mic,password' partial_success 0

This is expected behavior. With deep inspection, the proxy terminates the client's SSH session and opens its own session to the server, so the server only ever sees the key presented by FortiGate, not the user's key. The user's public key is therefore not the one being authenticated, and the authentication fails.
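The protocol reason the proxy cannot simply pass the user's key through is that a "publickey" userauth signature (RFC 4252 section 7) is computed over the session identifier of one specific key exchange. The added Go example below, which is not from the article or from Fortinet, builds that signed blob and shows that a signature made in the client-to-proxy session does not verify in the separate proxy-to-server session; the ed25519 key, the username "alice" and the session IDs are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// sshString encodes b as an SSH "string": uint32 big-endian length + bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// userauthSignedData is the blob a client signs for a "publickey"
// SSH_MSG_USERAUTH_REQUEST (RFC 4252 section 7). Its first field is the
// session identifier (the exchange hash of that session's key exchange),
// so the signature is bound to exactly one SSH session.
func userauthSignedData(sessionID []byte, user string, pub ed25519.PublicKey) []byte {
	var b bytes.Buffer
	b.Write(sshString(sessionID))
	b.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	b.Write(sshString([]byte(user)))
	b.Write(sshString([]byte("ssh-connection")))
	b.Write(sshString([]byte("publickey")))
	b.WriteByte(1) // TRUE: a signature follows
	b.Write(sshString([]byte("ssh-ed25519")))
	keyBlob := append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
	b.Write(sshString(keyBlob))
	return b.Bytes()
}

// ForwardedSignatureVerifies models a proxy relaying the client's publickey
// request unchanged: the client signed over clientSessionID, but the server
// verifies over serverSessionID (its own key exchange with the proxy).
func ForwardedSignatureVerifies(clientSessionID, serverSessionID []byte) (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed user key
	if err != nil {
		return false, err
	}
	sig := ed25519.Sign(priv, userauthSignedData(clientSessionID, "alice", pub))
	return ed25519.Verify(pub, userauthSignedData(serverSessionID, "alice", pub), sig), nil
}

func main() {
	// Constructed sample session IDs; real ones are the key-exchange hashes.
	direct := []byte("session-id-client-to-server")
	ok, _ := ForwardedSignatureVerifies(direct, direct)
	fmt.Println("no proxy, one session:", ok) // true
	ok, _ = ForwardedSignatureVerifies([]byte("session-id-client-to-proxy"), []byte("session-id-proxy-to-server"))
	fmt.Println("deep inspection, two sessions:", ok) // false
}
```

Because the forwarded signature can never verify, the proxy's only option is to authenticate to the server with its own key, which is the substitution the WAD error above reflects.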


The following workarounds can be considered:

  • Use a flow-based policy instead of a proxy-based one.
  • Keep the proxy-based policy but disable SSH deep inspection in it.


For further investigation, open a ticket to Fortinet Technical Support.